Method of Configuring a Node, Related Node and Configuration Server

ABSTRACT

A method for configuring a node, said node holding a public key depending on an identifier relating to said node, a related secret key and an address of a configuration server storing sets of configuration parameters for respective nodes, the method comprising the following steps carried out at the configuration server:
- identifying said node by use of an identity based identification algorithm taking account of said public and secret keys; and
- when said node has been successfully identified, retrieving the set of configuration parameters stored for said node and transmitting said set of configuration parameters to said node.

BACKGROUND OF THE INVENTION

The present invention relates to node configuration.

The term ‘node’ is to be understood here as any device or system capable of communicating with at least one other node. It includes very basic chip cards, RFID (Radio Frequency Identification Chip) tags, sensors, mobile phones, PDAs (Personal Digital Assistants), base stations, servers, gateways, or even whole telecommunication networks. As a non-limiting example, a node may be an access point of an Ambient Network.

In order to be able to interact with its environment, a node requires some configuration. Of course, such configuration may differ depending on the nature of the node. But it can also depend on the variety of possible environments the node can meet. The environment may even vary in time, especially as far as mobile nodes moving in a radio environment are concerned.

Bandwidth, power, IP versions, IP addresses, security keys and proxy server addresses are some examples of configuration parameters of which a node should know an updated version in order to communicate.

Due to the above mentioned multiplicity of nodes and environments, it is not easy to store relevant and appropriate configuration parameters in any node once and for all when building it.

Therefore, there is a need for providing any kind of node with relevant and appropriate configuration parameters.

SUMMARY OF THE INVENTION

The invention proposes a method for configuring a node, said node holding a public key depending on an identifier relating to said node, a related secret key and an address of a configuration server storing sets of configuration parameters for respective nodes, the method comprising the following steps carried out at the configuration server:

- identifying said node by use of an identity based identification algorithm taking account of said public and secret keys; and
- when said node has been successfully identified, retrieving the set of configuration parameters stored for said node and transmitting said set of configuration parameters to said node.

In this way, the node does not have to store much information or very specific information initially, since only a public key, a secret key and an address of a configuration server are needed. Moreover, due to the fact that the public key depends on said identifier, the stored information is particularly light, by contrast with traditional X.509 certificates for instance. The configuration parameters can also be obtained at any time by the node after a simple identification by the configuration server. Updated versions of configuration parameters can thus be obtained quite easily.

The invention also proposes a node holding a public key depending on an identifier relating to said node, a related secret key and an address of a configuration server storing sets of configuration parameters for respective nodes, said node comprising:

- means for being identified by the configuration server by use of an identity based identification algorithm taking account of said public and secret keys;
- means for receiving a set of configuration parameters from the configuration server when said node has been successfully identified.

The invention also proposes a configuration server storing sets of configuration parameters for respective nodes each holding a respective public key depending on a respective identifier relating to said node, a respective related secret key and an address of the configuration server, said configuration server comprising in relation with any one of said nodes:

- means for identifying said node by use of an identity based identification algorithm taking account of said public and secret keys relating to said node; and
- means for retrieving the set of configuration parameters stored for said node and means for transmitting said set of configuration parameters to said node when the means for identifying have successfully identified said node.

The preferred features of the above aspects which are indicated by the dependent claims may be combined as appropriate, and may be combined with any of the above aspects of the invention, as would be apparent to a person skilled in the art.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a schematic view of a system implementing the invention;

FIG. 2 is a schematic view of main exchanges between a node and a configuration server according to the invention;

FIG. 3 is a first example of configuration using Shamir's identity-based identification algorithm; and

FIG. 4 is a second example of configuration using the Fischer-Micali-Rackoff identity-based identification algorithm.

DESCRIPTION OF PREFERRED EMBODIMENTS

FIG. 1 shows a computer device 1a, a mobile phone 1b and an RFID tag 1c which form respective nodes, which may be part of an Ambient network for instance.

As will be explained in more detail below, each one of these nodes holds minimum required parameters for configuration purposes.

FIG. 1 also shows a configuration server 2 which contains configuration parameters for different nodes, including the nodes 1a, 1b and 1c.

In the present invention, the nodes 1a, 1b and 1c receive relevant and appropriate configuration parameters from the configuration server 2, possibly through a communication network 3 which may contain other nodes.

Since the nodes 1a, 1b and 1c get respective configuration parameters from the configuration server 2, they can contain very little information initially. This may be advantageous when building such nodes. It also allows the nodes to get updated configuration parameters when needed, e.g. when moving inside a radio environment.

FIG. 2 shows in more detail how a node can get configured according to an embodiment of the present invention. In this figure, a node 1, namely a mobile phone, is to be configured.

Initially, i.e. right after being built and sold to its user, the node 1 may hold only three parameters: an identifier (id in FIG. 2) relating to the node 1, i.e. which identifies either the node itself or its user and which may be used as a public key for the node 1 as will be explained below; a function of said identifier (Ks(id) in FIG. 2), which may be used as a secret key for the node 1 as will be explained below; and an address of the configuration server 2, e.g. an IP address (@IP in FIG. 2).

As a variant, a one way function h of the identifier id (h(id)) may be held by the node 1 instead of the identifier id itself. This one way function may be a hash function, such as SHA-1 (specified in the “Secure Hash Signature Standard (SHS)” by the NIST (see FIPS PUB 180-2)) or MD5 (see Request For Comments 1319-121 published by the Internet Engineering Task Force (IETF)) for instance. Of course, other one way functions may suit as well.

Advantageously, said identifier id is unique for each node and/or user. It can explicitly define the node and/or user. As a non-limiting example, the identifier id may include the following string: firstname.surname.city@domainname.

Alternatively, the identifier may include an identifier used for other purposes. For instance, when the routing protocol used between the node and configuration server is IP (Internet Protocol) and the allocation of IP addresses is fixed, the identifier id may include the IP address of the node.

Likewise, when the node is a mobile phone for instance, it is coupled to a SIM (Subscriber Identity Module) card characterizing the user of the mobile phone. The SIM card contains a user identity called IMSI (International Mobile Subscriber Identity), which could be included in the identifier id for configuration purposes according to the invention.

Although the node 1 may hold the three above mentioned parameters only, it may also hold additional parameters. However, it will be understood that most or all the configuration parameters intended to be used by the node 1 (e.g. bandwidth, power, IP versions, IP addresses, security keys, proxy server addresses, etc.) are not stored in said node initially.

The secret key Ks(id) may be provided to the node 1 in many different ways. In the example illustrated in FIG. 2, a secret generator 18 is the entity that generates Ks(id) by applying a trapdoor function to the identifier id (or h(id)) relating to the node 1. The secret generator 18 then sends the secret key generated to the node 1 (step 4).

On the other hand, the configuration server 2 has access to a database 2a which may be internal or external. This database 2a stores sets of configuration parameters $CP_1, CP_2, \ldots, CP_n$ for respective nodes identified by $id_1, id_2, \ldots, id_n$ respectively.

In step 5, the configuration server 2 identifies the node 1 by use of an identity based identification algorithm. This identification step may be requested by the node 1. During this step, the node 1 and the configuration server 2 exchange messages. Messages can be sent from the node 1 to the configuration server 2 due to the fact that the node 1 knows the address @IP of the configuration server 2.

Non-limiting examples of identity based identification algorithms will be described below with reference to FIGS. 3 and 4. The particularity of such algorithms is that they take account of a public key which depends on an identifier relating to the entity to be identified. They also take account of a related secret key also depending on said identifier, since the secret key derives from the public key by use of a trapdoor function.

At the beginning of the identification step 5, the node 1 sends its identifier id (or h(id)) to the configuration server 2. The configuration server 2 then authenticates whether or not the node 1 is really the one with said identifier id.

When the configuration server 2 has successfully identified the node 1, it is capable of retrieving the corresponding set of configuration parameters CP in the database 2a, from the identifier id (or h(id)). It can then transmit CP to the node 1 (step 6). As mentioned above, the identifier id may include a routing address such as the IP address of the node, which allows CP to be sent from the configuration server 2 to the node 1. In this way, the node 1 finally holds the needed configuration parameters, which makes it able to communicate properly with other nodes.

The transmission of the configuration parameters CP from the configuration server 2 to the node 1 may be carried out in clear or in an encrypted way. The encryption can be performed in different ways. A first possibility is to establish a secure tunnel between the configuration server 2 and the node 1, as is well known. A second possibility is to use an identity based encryption algorithm, such as the Cocks' algorithm described in the article “An Identity Based Encryption Scheme Based on Quadratic Residues”, Cryptography and Coding, 8th IMA International Conference, 2001, pp. 360-363, or the Boneh-Franklin's algorithm “Identity-Based Encryption from the Weil Pairing”, Advances in Cryptology—Proceedings of CRYPTO 2001 (2001).

When using an identity based encryption algorithm, the configuration server 2 encrypts the transmission of CP with a public key which may be different from the one used to identify the node 1. Typically, this second public key may use a hash function h′ different from h. The second public key may also depend on an identifier of the configuration server 2 in addition or in replacement of the identifier id relating to the node 1. In this case, the node 1 should further hold a second secret key initially in order to decrypt the messages received from the configuration server 2.

It should be noted that the use of an identity based identification algorithm to identify the node is really advantageous, because some nodes may have very low power/memory which might prevent them from embedding a heavy X.509 certificate traditionally used for identification or authentication purposes. The heavy PKI (Public Key Infrastructure) infrastructure is also avoided. Moreover, the exchanges between the node and the configuration server are quite light and thus compatible with low bandwidth systems.

FIG. 3 shows an example of configuration of a node 1 including an identity-based identification using the Shamir's algorithm described in “Identity-based cryptosystems and signature schemes”, Proceedings of CRYPTO'84, LNCS 196, pages 47-53, Springer-Verlag, 1984.

In this example, the public key for the node 1 includes the identifier id. Advantageously, the public key may also incorporate other information, such as an expiry date for configuring the node 1, in which case the configuration parameters may be sent to the node 1 only if the current date is no later than this expiry date. This public key id is sent to the configuration server 2 by the node 1.

Moreover, the node 1 has been provided with $Ks = id^{d}\ [n]$ as a secret key, where $[\cdot]$ designates the modulo operation, $n = p \cdot q$, p and q being two long prime integers and d is an integer such that $e d = 1\ [(p-1)(q-1)]$, e being another integer. While e and n are public, p and q are not (i.e. the factorization of n is not public).

The node 1 generates a random number r and calculates $t = r^{e}\ [n]$ and $s = Ks \cdot r^{f(t,m)}\ [n]$, where f is a one way function which may be the above mentioned function h, e.g. a hash function such as SHA-1 or MD5, and m is a known message. Advantageously, m can be set to id. The node 1 then sends t and s to the configuration server 2 (steps 7 and 8).

The configuration server 2 calculates $s^{e} = (Ks)^{e} \cdot r^{e \cdot f(t,m)}\ [n]$ and checks whether it equals $id \cdot t^{f(t,m)}\ [n]$. If the check is positive, the configuration server 2 concludes that the node 1 is really the one relating to the identifier id, which means that the node 1 has been successfully identified. The configuration server 2 can then retrieve the configuration parameters CP corresponding to this id and return them to the node 1 (step 9).
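The FIG. 3 exchange, including the expiry-date variant of the public key, can be traced in code. The following Python sketch is an added example and is not part of the original text. Its assumptions: a toy modulus built from two Mersenne primes, SHA-256 standing in for h and f, a constructed identifier and configuration set, and hypothetical function names.

```python
import hashlib
import secrets
from datetime import date

# Toy parameters (constructed for this example): two Mersenne primes stand in
# for the long random primes p and q held by the secret generator.
P, Q = 2**89 - 1, 2**107 - 1
N = P * Q                              # public modulus n
E = 65537                              # public exponent e
D = pow(E, -1, (P - 1) * (Q - 1))      # trapdoor d, known only to the secret generator

def _hash_int(*parts):
    """SHA-256 over length-prefixed parts, as an integer (assumed hash choice)."""
    digest = hashlib.sha256()
    for part in parts:
        digest.update(len(part).to_bytes(4, "big") + part)
    return int.from_bytes(digest.digest(), "big")

def public_key(identifier, expiry):
    """Public key derived from the identifier and its expiry date, reduced mod n."""
    return _hash_int(identifier.encode(), expiry.isoformat().encode()) % N

def issue_secret(identifier, expiry):
    """Secret generator (step 4): Ks = pk^d [n]."""
    return pow(public_key(identifier, expiry), D, N)

def f(t, m):
    """One way function f(t, m), hashing t at fixed width together with m."""
    return _hash_int(t.to_bytes((N.bit_length() + 7) // 8, "big"), m)

def node_prove(ks, m):
    """Node (steps 7 and 8): t = r^e [n], s = Ks * r^f(t,m) [n]."""
    r = secrets.randbelow(N - 2) + 2
    t = pow(r, E, N)
    s = ks * pow(r, f(t, m), N) % N
    return t, s

# Constructed configuration database, keyed by identifier.
CONFIG_DB = {"alice.smith.paris@example.net": {"proxy": "192.0.2.10", "ip_version": 6}}

def server_configure(identifier, expiry, t, s, today):
    """Server (step 9): return CP only if the key is still valid and
    s^e == pk * t^f(t,m) [n]; otherwise return None."""
    if today > expiry:
        return None
    pk = public_key(identifier, expiry)
    m = identifier.encode()            # m is set to id, as the text suggests
    if pow(s, E, N) != pk * pow(t, f(t, m), N) % N:
        return None
    return CONFIG_DB.get(identifier)
```

Because the expiry date is hashed into the public key, a node that presents a later date than the one its secret key was issued for fails the check.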

FIG. 4 shows another example of configuration of a node 1 including an identity-based identification using the Fischer-Micali-Rackoff's algorithm described in “A secure protocol for the oblivious transfer”, 1984, presented at EuroCrypt 84.

The node 1 holds h(id) as a public key and sends it (or id) to the configuration server 2. Like in the previous example, the public key may also incorporate other information, such as an expiry date for configuring the node 1.

The node 1 also holds, as a secret key, $Ks = \sqrt{h(id)}\ [n]$, where $n = p \cdot q$, p and q being two secret long primes. Although h(id) is public, a third party cannot easily obtain Ks, since the calculation of the square root requires knowing the factorization of n (Chinese remainder theorem).

The node 1 chooses a random number r, calculates $x = r^{2}\ [n]$ and sends x to the configuration server 2 (step 11). The configuration server 2 returns a challenge “0” or “1” to the node 1 (step 12).

If “0” is received by the node 1, the latter sends r to the configuration server 2 (step 13). In this case, the configuration server 2 calculates $r^{2}$ and checks whether this equals $x\ [n]$ (step 14).

If “1” is received by the node 1, the latter sends $y = r \cdot Ks$ to the configuration server 2 (step 15). In this case, the configuration server 2 calculates $y^{2}$ and checks whether this equals $x \cdot h(id)\ [n]$ (step 16), which is possible because the public key h(id) is known to the configuration server 2. If the check is positive, which means that the node 1 has been successfully identified, the configuration server 2 retrieves the configuration parameters CP corresponding to id and returns them to the node 1.

A sequence including successive challenges “0” or “1” (e.g. one “0” and then one “1”) may advantageously be transmitted to the node 1 by the configuration server 2, before the latter transmits the relevant configuration parameters CP to the node 1.
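The challenge-response rounds of FIG. 4 can be run end to end, which also shows why a sequence of challenges matters: a round with challenge “0” never involves Ks, so only the “1” rounds test possession of the secret key. The following Python sketch is an added example and is not part of the original text. Its assumptions: a toy modulus built from two Mersenne primes (both equal to 3 modulo 4, so square roots are easy for the secret generator), SHA-256 as h, a counter appended to the identifier so that h(id) has a square root, and hypothetical names throughout.

```python
import hashlib
import secrets

# Toy parameters (constructed): Mersenne primes stand in for the secret primes p and q.
P, Q = 2**89 - 1, 2**107 - 1
N = P * Q

def h(identifier, counter):
    """Public key h(id) as an integer mod n. The counter is an assumption of this
    example: it lets the secret generator pick a value that has a square root."""
    data = f"{identifier}|{counter}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def issue_secret(identifier):
    """Secret generator: find a counter for which h(id) is a square modulo p and q,
    then return (counter, Ks) with Ks^2 = h(id) [n]."""
    for counter in range(256):
        v = h(identifier, counter)
        rp, rq = pow(v, (P + 1) // 4, P), pow(v, (Q + 1) // 4, Q)
        if rp * rp % P == v % P and rq * rq % Q == v % Q:
            # Chinese remainder theorem: combine the roots mod p and mod q.
            ks = (rp + P * ((rq - rp) * pow(P, -1, Q) % Q)) % N
            return counter, ks
    raise ValueError("no usable counter found")

class Node:
    """Node side: holds Ks, commits to x = r^2 [n], answers one challenge per commit."""
    def __init__(self, ks):
        self.ks = ks
        self.r = None

    def commit(self):                      # step 11
        self.r = secrets.randbelow(N - 2) + 2
        return self.r * self.r % N

    def respond(self, challenge):          # steps 13 and 15
        return self.r if challenge == 0 else self.r * self.ks % N

def server_check(pk, x, challenge, answer):
    """Server side (steps 14 and 16): answer^2 must equal x or x * h(id) [n]."""
    expected = x if challenge == 0 else x * pk % N
    return answer * answer % N == expected

def random_challenges(rounds):
    """Unpredictable challenge bits, drawn by the server."""
    return [secrets.randbelow(2) for _ in range(rounds)]

def identify(node, pk, challenges):
    """Run one round per challenge; accept only if every round checks out."""
    for challenge in challenges:
        x = node.commit()
        if not server_check(pk, x, challenge, node.respond(challenge)):
            return False
    return True
```

A node holding a wrong key passes `identify` when every challenge is “0” and fails as soon as a “1” appears, so the server should draw its challenges with `random_challenges` and use enough rounds before releasing CP.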

In a non-limiting example of application of the present invention, the node to be configured may be a home gateway (HGW). A HGW provides a radio interface similar to that of a cellular infrastructure, and it interfaces with a cellular network. The coverage of the HGW can be considered as a cell of the network, to which it is fully integrated. For such a node, the configuration parameters to be provided by the configuration server may include a radio network controller address, scrambling codes, a location area code, a routing area code, a reference macrocell identity, etc.

Of course, the present invention may apply to various other types of nodes as well.

1. A method of authorizing a first node for receipt of information from a communication network, the first node having a public key which is a function of an identifier associated with the first node and a secret key related to the public key, the method comprising, at a second node of the communication network: authenticating the first node using an identity-based authentication algorithm based on the public key and the secret key; and when the first node is successfully authenticated, permitting the first node to receive information from the communication network.
2. The method of claim 1, wherein the public key is the identifier associated with the first node.
3. The method of claim 1, wherein the public key is derived from the identifier associated with the first node.
4. The method of claim 1, wherein authenticating the first node using an identity-based authentication algorithm comprises: receiving information from the first node at the second node; and confirming, at the second node, that the received information was derived using the secret key for the first node.
5. The method of claim 1, wherein permitting the first node to receive information from the communication network comprises transmitting information from the second node to the first node.
6. The method of claim 1, wherein permitting the first node to receive information from the communication network comprises transmitting configuration information from the second node to the first node.
7. The method of claim 1, wherein, before the first node is authenticated by the second node, the first node has no parameters for accessing the communication network other than the public key, the secret key and at least one network address, the at least one network address comprising a network address of the second node.
8. The method of claim 1, wherein the public key comprises a one-way function of the identifier associated with the first node.
9. The method of claim 8, wherein the one-way function comprises a hash function.
10. The method of claim 1, further comprising: generating the secret key from the identifier associated with the first node; and providing the secret key to the first node.
11. The method of claim 1, further comprising transmitting information to the first node via the communication network.
12. The method of claim 11, wherein transmitting information to the first node comprises transmitting encrypted information to the first node.
13. The method of claim 12, wherein transmitting encrypted information to the first node comprises transmitting information encrypted using identity-based encryption.
14. A system for authorizing a first node for receipt of information from a communication network, the first node having a public key which is a function of an identifier associated with the first node and a secret key related to the public key, the apparatus comprising a second node of the communication network, the second node comprising: a communication interface; and a processor coupled to the communication interface, the processor being configured: to authenticate the first node using an identity-based authentication algorithm based on the public key and the secret key; and when the first node is successfully authenticated, to permit the first node to receive information from the communication network.
15. The system of claim 14, wherein the public key is the identifier associated with the first node.
16. The system of claim 14, wherein the public key is derived from the identifier associated with the first node.
17. The system of claim 14, wherein the processor is configured to authenticate the first node using an identity-based authentication algorithm by: receiving information from the first node at the second node; and confirming, at the second node, that the received information was derived using the secret key for the first node.
18. The system of claim 14, wherein the processor is configured to permit the first node to receive information from the communication network by transmitting information via the communication network to the first node.
19. The system of claim 14, wherein the processor is configured to permit the first node to receive information from the communication network by transmitting configuration information via the communication network to the first node.
20. The system of claim 14, wherein, before the first node is authenticated by the second node, the first node has no parameters for accessing the communication network other than the public key, the secret key and at least one network address, the at least one network address comprising a network address of the second node.
21. The system of claim 14, wherein the public key comprises a one-way function of the identifier associated with the first node.
22. The system of claim 21, wherein the one-way function comprises a hash function.
23. The system of claim 14, further comprising a secret generator configured: to generate the secret key from the identifier associated with the first node; and to provide the secret key to the first node.
24. The system of claim 14, wherein the second node is configured to transmit information to the first node via the communication network.
25. The system of claim 24, wherein the second node is configured to transmit information to the first node by transmitting encrypted information to the first node.
26. The system of claim 25, wherein the second node is configured to transmit encrypted information to the first node by transmitting information encrypted using identity-based encryption.